Website Impersonation Attacks. Who is REALLY Behind That Mask?
2. © 2013 Jason Mortensen Attacking Web Authentication - Slide 2
How can you be certain that the people using your web
applications are really the legitimate users?
Who’s REALLY Behind That Mask?
Source: Flickr, user Sklathill; Source: Flickr, user chrisjohnbeckett
It isn’t hard to impersonate other users to web
applications if authentication or session
management isn’t implemented correctly
3. © 2013 Jason Mortensen Attacking Web Authentication - Slide 3
How web authentication and session management
works
Attack techniques
Attacking authentication
Attacking session management
Countermeasures
Summary
Agenda
4. © 2013 Jason Mortensen Attacking Web Authentication - Slide 4
HTTP is a “stateless” protocol. The server doesn’t
remember anything about you after each request.
Challenge: How do you track user identity or other
details across multiple page requests?
Solution: Authenticate users, then use session
information (usually cookies) to track unique users
How Web Authentication Works
Diagram (User <-> Web Application):
1. Authentication: username and password provided, cookie returned
2. Session Management: cookie used for rest of session (“Welcome!”)
5. © 2013 Jason Mortensen Attacking Web Authentication - Slide 5
Authentication vs. Session Management
Authentication: “Prove that you are who you say you are”
Session Management: Keeping track of a user’s activity across multiple interactions with a web application
6. © 2013 Jason Mortensen Attacking Web Authentication - Slide 6
How web authentication and session management
works
Attack techniques
Attacking authentication
Attacking session management
Countermeasures
Summary
Agenda
7. © 2013 Jason Mortensen Attacking Web Authentication - Slide 7
Authentication
Password guessing
Attacking password reset
SQL injection authentication bypass
Social engineering
Keystroke loggers
Network sniffing
Session management
Attacking session tokens
Cookie stealing and replay
Cross Site Request Forgery (CSRF)
Clickjacking
Session Fixation
Attack Techniques
8. © 2013 Jason Mortensen Attacking Web Authentication - Slide 8
Attacking
Authentication
9. © 2013 Jason Mortensen Attacking Web Authentication - Slide 9
Passwords are the most common way to authenticate
to web applications
Weak passwords are a classic way that web
applications are compromised
Password Guessing
Most Popular Passwords of 2012 (According to research by SplashData)
password
123456
12345678
abc123
qwerty
monkey
letmein
dragon
111111
baseball
iloveyou
trustno1
1234567
sunshine
master
123123
welcome
shadow
ashley
football
jesus
michael
ninja
mustang
password1
10. © 2013 Jason Mortensen Attacking Web Authentication - Slide 10
Tools are readily available to automate web password
guessing
Examples: Hydra, Brutus, and Webcracker
Word lists are available for foreign languages, terms
related to sports, movies, occupations, hobbies, etc.
Password Guessing
Types of password guessing:
Vertical: one username, guessing many passwords
Horizontal: one password, guessing with many usernames
Diagonal: many usernames, guessing with many passwords
11. © 2013 Jason Mortensen Attacking Web Authentication - Slide 11
Many web sites allow you to reset a password by
answering a “secret question”
Essentially a backup password that is usually much
weaker than the real password
The answers to secret questions are often easy to
guess or determine
Some answers can be found using social
media sites such as Facebook
1 in 80 chance of guessing the answer according to one
study (Bonneau, Joseph et al., 2010)
Attacking Password Reset
12. © 2013 Jason Mortensen Attacking Web Authentication - Slide 12
Attacking Password Reset
Question | Range of answers
What is the name of your favorite pet? | The top 20 dog names are Max, Buddy, Molly, Bailey, Maggie, Lucy, Jake, Rocky, Sadie, Lucky, Daisy, Jack, Sam, Shadow, Bear, Buster, Lady, Ginger, Abby, and Toby.
What is your mother’s maiden name? | There are approximately 25,000 common surnames; one in 10 U.S. citizens have the surname Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia, Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, or Young.
What street did you grow up on? | The 15 most common street names are Second/2nd, Third/3rd, First/1st, Fourth/4th, Park, Fifth/5th, Main, Sixth/6th, Oak, Seventh/7th, Pine, Maple, Cedar, Eighth/8th, and Elm.
What was the make of your first car? | Most cars are built by Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler, Daewoo, Dodge, Ford, GMC, Honda, Hummer, Hyundai, Infiniti, Isuzu, Jaguar, Jeep, Kia, Land Rover, Lexus, Lincoln, Mazda, Mercedes-Benz, Mercury, Mitsubishi, Nissan, Oldsmobile, Plymouth, Pontiac, Porsche, Saab, Saturn, Subaru, Suzuki, Toyota, Volkswagen, or Volvo.
What is your favorite color? | There are around 100 common colors, even considering colors such as taupe, gainsboro, and fuchsia.
Source: Syngress.com, “Using Secret Questions”
13. © 2013 Jason Mortensen Attacking Web Authentication - Slide 13
George Bronk Example
Cyberstalking - 46 women across
17 states
Used information posted to
Facebook to answer password
reset questions
Broke into email accounts, then
searched for nude and semi-nude
photos.
Distributed nude photos to the
victim’s contact list.
Attacking Password Reset
14. © 2013 Jason Mortensen Attacking Web Authentication - Slide 14
Sarah Palin 2008 Email Hack Example
Personal Yahoo! email account
compromised during 2008
presidential campaign
Password reset questions were
based on biographical data readily
available on the Internet
Birthdate
Home zip code
Where she met husband (high
school)
Attacking Password Reset
Source: Flickr user Brett Beanan; bbeanan
15. © 2013 Jason Mortensen Attacking Web Authentication - Slide 15
SQL Injection occurs when an attacker
passes database instructions in
parameters that are used in database
queries made by the application
SQL Injection Authentication Bypass
SQL Injection can be used to bypass authentication
A popular method for bypassing authentication is to
enter the following in a login field:
' or 1=1--
16. © 2013 Jason Mortensen Attacking Web Authentication - Slide 16
SQL Injection Authentication Bypass
Diagram: Attacker -> Web Application -> Database
1. Attacker injects SQL statement into login form
2. Application builds SQL query with user input:
SELECT Count(*) FROM users
WHERE username='admin'
AND password='' or 1=1--'
3. Database returns “true” since 1=1 is evaluated for the password condition. The attacker is authenticated as admin.
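The slide-16 query built both ways, as an added example that is not from the slides: the concatenated version accepts the slide-15 payload, the parameterized version (the slide-30 countermeasure) does not. The in-memory SQLite table and the placeholder password are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table; a real system stores password hashes,
    plain text is used here only to mirror the slide's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'placeholder-secret')")
    return db

def login_vulnerable(db, username, password):
    """Builds the query by concatenating user input, as the slide-16 diagram shows.
    With ' or 1=1-- as the password the WHERE clause becomes
    username='admin' AND password='' or 1=1 --' which is always true."""
    query = ("SELECT Count(*) FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return db.execute(query).fetchone()[0] > 0

def login_safe(db, username, password):
    """Parameterized query: the driver binds the values as data, so quotes and
    comment markers in the input are never interpreted as SQL."""
    query = "SELECT Count(*) FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    """Returns (vulnerable_result, safe_result) for the slide-15 payload."""
    db = make_db()
    payload = "' or 1=1--"
    return login_vulnerable(db, "admin", payload), login_safe(db, "admin", payload)
```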
17. © 2013 Jason Mortensen Attacking Web Authentication - Slide 17
Other Authentication Attacks
Social Engineering
Trick people into divulging
confidential information
Keystroke Loggers
Software or hardware that watches
everything you type (esp. passwords)
Example: Student from Bucks College that changed grades
Network Sniffing
Eavesdrop on network traffic to
steal passwords or session cookies
Source: celalteber; stock.xchng
Source: Flickr user Lars P.
18. © 2013 Jason Mortensen Attacking Web Authentication - Slide 18
Attacking
Session Management
19. © 2013 Jason Mortensen Attacking Web Authentication - Slide 19
After a user authenticates, session tokens identify the
user in subsequent page requests
Session information is stored in cookies, URLs, or in
hidden HTML form elements
Usually a random identifier, but some web sites store
other details about the user
Attacking Session Tokens
Cookies: Set-Cookie: userid=20459; path=/; Expires=Sun, 08-Feb-2015 01:54:39 GMT
URL: http://www.example.com/en/mk?sessid=83958147
Hidden Field: <input type="hidden" name="username" value="jrholland">
20. © 2013 Jason Mortensen Attacking Web Authentication - Slide 20
Attackers can modify session tokens in cookies, URLs,
and hidden fields
Session IDs may be predictable or guessable
Session IDs that aren’t predictable may still be guessed
by brute force guessing the entire key space
Account lockout mechanisms are not triggered by brute
force guessing session IDs
End result is always the same = Impersonate the
legitimate user and hijack their session
Attacking Session Tokens
21. © 2013 Jason Mortensen Attacking Web Authentication - Slide 21
Example
You log into an application several times and are
assigned the following session IDs
Attacking Session Tokens
Set-Cookie: unique_id=296410995833; expires=Tuesday, 13-Aug-2013 09:50:35 GMT; path=/portal
Set-Cookie: unique_id=296410995886; expires=Tuesday, 13-Aug-2013 09:50:54 GMT; path=/portal
Set-Cookie: unique_id=296410995919; expires=Tuesday, 13-Aug-2013 09:51:41 GMT; path=/portal
Set-Cookie: unique_id=296410995944; expires=Tuesday, 13-Aug-2013 09:53:13 GMT; path=/portal
Set-Cookie: unique_id=296410995971; expires=Tuesday, 13-Aug-2013 09:54:01 GMT; path=/portal
Set-Cookie: unique_id=296410996023; expires=Tuesday, 13-Aug-2013 09:54:47 GMT; path=/portal
Set-Cookie: unique_id=296410996045; expires=Tuesday, 13-Aug-2013 09:55:25 GMT; path=/portal
Set-Cookie: unique_id=296410996089; expires=Tuesday, 13-Aug-2013 09:57:25 GMT; path=/portal
Set-Cookie: unique_id=296410996113; expires=Tuesday, 13-Aug-2013 09:58:52 GMT; path=/portal
Set-Cookie: unique_id=296410996139; expires=Tuesday, 13-Aug-2013 10:01:25 GMT; path=/portal
Set-Cookie: unique_id=296410996196; expires=Tuesday, 13-Aug-2013 10:02:43 GMT; path=/portal
See the incrementing session ID values?
Not difficult to guess other valid session IDs.
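An added example, not from the slides: a screening check that pulls the session ID out of Set-Cookie headers like the ones above and flags the incrementing pattern, next to the countermeasure of generating IDs from a CSPRNG. The sample headers are the slide's own values; the gap threshold is an assumption.

```python
import re
import secrets

# Constructed sample: five of the Set-Cookie headers shown on slide 21.
SAMPLE_HEADERS = [
    "Set-Cookie: unique_id=296410995833; expires=Tuesday, 13-Aug-2013 09:50:35 GMT; path=/portal",
    "Set-Cookie: unique_id=296410995886; expires=Tuesday, 13-Aug-2013 09:50:54 GMT; path=/portal",
    "Set-Cookie: unique_id=296410995919; expires=Tuesday, 13-Aug-2013 09:51:41 GMT; path=/portal",
    "Set-Cookie: unique_id=296410995944; expires=Tuesday, 13-Aug-2013 09:53:13 GMT; path=/portal",
    "Set-Cookie: unique_id=296410995971; expires=Tuesday, 13-Aug-2013 09:54:01 GMT; path=/portal",
]

def extract_ids(headers, name="unique_id"):
    """Pull the named cookie's value out of each Set-Cookie header."""
    pattern = re.compile(r"\b" + re.escape(name) + r"=([^;]+)")
    ids = []
    for header in headers:
        match = pattern.search(header)
        if match:
            ids.append(match.group(1))
    return ids

def looks_sequential(ids, max_gap=1000):
    """Flag IDs that are all integers and that each exceed the previous one by at
    most max_gap (assumed threshold): anyone holding one such ID can enumerate
    its neighbours. Properly generated IDs are not even numeric, so they fail."""
    try:
        values = [int(v) for v in ids]
    except ValueError:
        return False
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)

def new_session_id():
    """The countermeasure: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)
```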
22. © 2013 Jason Mortensen Attacking Web Authentication - Slide 22
Example – Payroll system that allows employees to view their own pay information
After logging in, the system stored the employee’s ID number in a cookie
Simply changing the ID number showed another user’s payroll information
Cookie also included an “admin=N” flag. Oops!
Attacking Session Tokens
Information Exposed
Full name
Social Security Number
Home address
Salary
Bonus payouts
Bank account information
Number of tax
exemptions
23. © 2013 Jason Mortensen Attacking Web Authentication - Slide 23
Cookies can be stolen in several ways, including cross
site scripting, network sniffing, or harvesting from other
web sites (on a shared domain or corporate network)
Once stolen, the attacker replays the cookie to
impersonate the legitimate user
Cookie Stealing and Replay
Encrypted cookies don’t stop
an attack… the attacker just
needs to replay the “blob”
24. © 2013 Jason Mortensen Attacking Web Authentication - Slide 24
Cookie Stealing and Replay
Diagram: Attacker, Victim, XSS Vulnerable Site
Cross Site Scripting (XSS)
1. Attacker sends victim a URL with a malicious script embedded
2. Victim clicks URL. Malicious script runs in the victim’s browser.
3. Steal Cookie: script tells victim’s browser to quietly send the attacker a copy of the victim’s cookie for the XSS vulnerable site
4. Replay Cookie: attacker replays the victim’s cookie to the XSS vulnerable site and is able to impersonate the victim (“Welcome!”)
25. © 2013 Jason Mortensen Attacking Web Authentication - Slide 25
Vulnerability that forces victims to execute unwanted
actions on a web application
Leverages the victim’s authentication to perform
actions
Browser takes action “in the background”, usually
without the user’s knowledge that an attack
occurred
The target of the attack is other users, not the
vulnerable web application itself
Cross Site Request Forgery (CSRF)
26. © 2013 Jason Mortensen Attacking Web Authentication - Slide 26
Samy – MySpace Worm (CSRF + XSS)
Posted Javascript code in MySpace profile – Executed each
time someone viewed the profile
Code designed to add Samy as a friend, then replicate the
Javascript
Over 1 million “friends” within 24 hours
Corporate document sharing web site (CSRF + XSS)
Submit Javascript in description field when uploading document
Victim’s browser instructed to grant permissions to the attacker
Attack ran silently in the background with no user interaction
Cross Site Request Forgery - Examples
27. © 2013 Jason Mortensen Attacking Web Authentication - Slide 27
Other Session Related Attacks
Clickjacking: Uses transparent web page layers to trick victim into clicking a button or link on another page
Session Fixation: Allows attacker to set session ID that is then used by victim
Session Fixation diagram:
1. Attacker determines that example.com is vulnerable.
2. Attacker sends the victim a link containing a fixed session ID: http://example.com/?SID=23456
3. Victim clicks the link, then logs in as normal. The app uses the fixed session ID.
4. Attacker can use the fixed session ID to impersonate the victim: http://example.com/?SID=23456 (“Welcome!”)
28. © 2013 Jason Mortensen Attacking Web Authentication - Slide 28
How web authentication and session management
works
Attack techniques
Attacking authentication
Attacking session management
Countermeasures
Summary
Agenda
29. © 2013 Jason Mortensen Attacking Web Authentication - Slide 29
Countermeasures
30. © 2013 Jason Mortensen Attacking Web Authentication - Slide 30
Use stronger-than-password authentication
Examples include digital certificates, one time password systems,
or using text messaging to send the user a one time login code
Implement strong session management practices
Session IDs must be unique and non-predictable
Use short session timeouts; 30 minutes or less is standard
Implement a logout function that cancels the session
Configure cookies to use the Secure and HttpOnly flags
Implement secure programming practices
Validate all input for type, length, acceptable values, and encode
all output
Use stored procedures instead of building SQL strings in code
Implement secure password reset functions
Use the OWASP Developer Guide from owasp.org
Key Countermeasures
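An added example, not from the slides: a minimal server-side session store that applies the session management rules above (unpredictable IDs, a 30-minute idle timeout, a logout that cancels the session, Secure and HttpOnly cookie flags) and regenerates the ID at login, which is what defeats the session fixation attack from slide 27. The store, the cookie name sessid and the injectable clock are assumptions; the SameSite attribute is a newer flag the slides do not mention.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; "30 minutes or less is standard"

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": name or None, "last_seen": t}
        self._clock = clock   # injectable clock so the timeout can be tested

    def create(self):
        """Issue an anonymous (pre-login) session with an unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session, or None if it is unknown or has been idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: cancel it server-side
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, old_sid, user):
        """After successful authentication, discard the pre-login ID and issue a
        fresh one, so an ID an attacker planted before login never becomes
        an authenticated session (the session fixation countermeasure)."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid):
        """Cancel the session server-side, not just clear the browser cookie."""
        self._sessions.pop(sid, None)

def session_cookie_header(sid):
    """Set-Cookie with the slide-30 flags: Secure (sent over HTTPS only) and
    HttpOnly (not readable by script, so an XSS payload cannot simply copy it).
    SameSite=Lax additionally limits cross-site sending of the cookie."""
    return "Set-Cookie: sessid=" + sid + "; Path=/; Secure; HttpOnly; SameSite=Lax"
```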
31. © 2013 Jason Mortensen Attacking Web Authentication - Slide 31
Take action after a series of failed login attempts
Lock accounts after X failed attempts
Slow down login attempts instead, such as requiring a
CAPTCHA for each subsequent password attempt
Use SSL/TLS to encrypt network traffic
Monitor audit logs
Look for patterns that indicate repeated password or session
ID guessing
Use “framebusting” techniques to prevent clickjacking
Educate users about phishing, social engineering
Other Countermeasures
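An added example, not from the slides, of the audit-log monitoring suggested above: it scans login failures per source address and labels them with the slide-10 guessing patterns (vertical, horizontal, diagonal). The log line format, the failure threshold and the sample log are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format "<time> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>").
SAMPLE_LOG = """\
2013-08-13T09:50:01Z LOGIN_FAIL user=jrholland src=203.0.113.7
2013-08-13T09:50:02Z LOGIN_FAIL user=jrholland src=203.0.113.7
2013-08-13T09:50:03Z LOGIN_FAIL user=jrholland src=203.0.113.7
2013-08-13T09:50:04Z LOGIN_FAIL user=jrholland src=203.0.113.7
2013-08-13T09:51:00Z LOGIN_FAIL user=alice src=198.51.100.9
2013-08-13T09:51:01Z LOGIN_FAIL user=bob src=198.51.100.9
2013-08-13T09:51:02Z LOGIN_FAIL user=carol src=198.51.100.9
2013-08-13T09:51:03Z LOGIN_FAIL user=dave src=198.51.100.9
2013-08-13T09:51:04Z LOGIN_OK user=erin src=198.51.100.9
2013-08-13T09:52:00Z LOGIN_FAIL user=frank src=192.0.2.4
2013-08-13T09:52:01Z LOGIN_FAIL user=frank src=192.0.2.4
2013-08-13T09:52:02Z LOGIN_FAIL user=grace src=192.0.2.4
2013-08-13T09:52:03Z LOGIN_FAIL user=grace src=192.0.2.4
2013-08-13T09:53:00Z LOGIN_FAIL user=heidi src=192.0.2.77
"""

LINE_RE = re.compile(r"^\S+ (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def classify_guessing(log_text, fail_threshold=4):
    """Return {source_ip: pattern} for sources at or above fail_threshold failures.
    vertical   = one username, many password attempts
    horizontal = many usernames, one attempt each
    diagonal   = many usernames with repeated attempts against each"""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match and match.group(1) == "LOGIN_FAIL":
            fails[match.group(3)][match.group(2)] += 1
    findings = {}
    for src, per_user in fails.items():
        if sum(per_user.values()) < fail_threshold:
            continue                      # ordinary typos stay below the bar
        if len(per_user) == 1:
            findings[src] = "vertical"
        elif max(per_user.values()) == 1:
            findings[src] = "horizontal"
        else:
            findings[src] = "diagonal"
    return findings
```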
32. © 2013 Jason Mortensen Attacking Web Authentication - Slide 32
Countermeasure Warnings
Countermeasure | Warning
Stronger-than-password Authentication | Doesn’t address session management attacks, and can lead to a false sense of security
Strong Session Management | Use built-in session management mechanisms, as custom session management routines can be difficult to implement securely
Secure Programming Practices | Security needs to be built into all phases of the software development lifecycle
Take Action After X Failed Logins | Attackers can create a denial-of-service by intentionally causing user accounts to become locked
SSL/TLS Network Encryption | Encrypt the entire session to protect authentication (password) AND session tokens (cookies)
Monitor Audit Logs | Review audit logs regularly in order to be familiar with normal usage patterns
Framebusting Techniques | Not all framebusting techniques are reliable; see https://www.owasp.org/index.php/Clickjacking for recommendations
Educate Users | Users will often be the weakest link in any security program
33. © 2013 Jason Mortensen Attacking Web Authentication - Slide 33
Countermeasures Summary
Matrix of countermeasures (rows) against threats (columns). Threat columns:
Authentication: Password Guessing, Attacking Password Reset, SQL Injection Auth Bypass, Social Engineering, Keystroke Loggers, Network Sniffing
Session Management: Attacking Session Tokens, Cookie Stealing and Replay, Cross Site Request Forgery, Clickjacking, Session Fixation
Each X marks a threat the countermeasure addresses (the column positions of the marks are not preserved in this transcript):
Stronger-than-password Authentication X X X X X
Strong Session Management X X
Secure Programming Practices X X X X X
Take Action After X Failed Logins X
SSL/TLS Network Encryption X
Monitor Audit Logs X X X
Framebusting Techniques X
Educate Users X
34. © 2013 Jason Mortensen Attacking Web Authentication - Slide 34
How web authentication and session management
works
Attack techniques
Attacking authentication
Attacking session management
Countermeasures
Summary
Agenda
35. © 2013 Jason Mortensen Attacking Web Authentication - Slide 35
There are numerous ways to attack web authentication
and session management, but there are also ways to
mitigate the threat
ALWAYS design security into the application from the
very beginning!
Summary
36. © 2013 Jason Mortensen Attacking Web Authentication - Slide 36
Questions?